Initial source: RAPPORT Server-App v0.1.0

- Tauri-2-Admin-UI fuer den Rapport-Compose-Stack
- React-Frontend (JSX, kein TS) mit Material-Symbols-Icons
- Service-Cards mit Live-Stats (CPU/RAM), Logs, Restart/Stop
- Backup-/Restore-System mit pg_dumpall + Retention
- Container-Auto-Updates mit Pre-Backup
- App-Auto-Updater (Tauri signiert) gegen latest.json im Repo-Root
- HTTPS-WebUI (axum/rustls) mit Basic-Auth, CSRF, Rate-Limit, Security-Headers
- Setup-Wizard: lädt Docker+Colima+Lima direct von GitHub/docker.com nach ~/.rapport/bin/
- Tray-Modus + macOS-Notifications + Auto-Recovery
- Login-Item via tauri-plugin-autostart

scripts/download-binaries.sh

@@ -0,0 +1,100 @@
+#!/usr/bin/env bash
+# Laedt fuer die laufende Plattform die Service-Binaries und legt sie unter
+# binaries/<platform>/ ab. Pinning kommt aus binaries/manifest.json.
+#
+# AKTUELL implementiert:
+#   - postgres : echt, via Zonky embedded-postgres-binaries (Maven Central)
+#   - alle anderen : Bash-Placeholder (sleep loop) bis ihre Quellen verdrahtet sind
+#
+# Verzeichnis-Layout fuer Postgres: binaries/<platform>/postgres-bundle/
+#   ├── bin/   (postgres, initdb, psql, pg_dumpall, ...)
+#   ├── lib/   (libpq + Sprach-Plugins)
+#   └── share/ (initdb-Templates etc.)
+
+set -euo pipefail
+cd "$(dirname "$0")/.."
+
+uname_s=$(uname -s)
+uname_m=$(uname -m)
+
+case "$uname_s-$uname_m" in
+  Darwin-arm64)  PLATFORM="macos-aarch64"; PG_TARGET="aarch64-apple-darwin"; PGRST_ASSET="macos-aarch64" ;;
+  Darwin-x86_64) PLATFORM="macos-x86_64";  PG_TARGET="x86_64-apple-darwin";  PGRST_ASSET="macos-x86-64" ;;
+  Linux-x86_64)  PLATFORM="linux-x86_64";  PG_TARGET="x86_64-unknown-linux-gnu"; PGRST_ASSET="ubuntu-aarch64" ;;
+  *) echo "Unsupported platform: $uname_s-$uname_m"; exit 1 ;;
+esac
+
+DEST="binaries/$PLATFORM"
+mkdir -p "$DEST"
+
+# ---------------------------------------------------------------------------
+# Postgres (native binary via theseus-rs/postgresql-binaries)
+# Liefert komplettes bin/ (postgres, initdb, psql, pg_dump, pg_dumpall, ...).
+# ---------------------------------------------------------------------------
+PG_VERSION="15.7.0"   # keep in sync with binaries/manifest.json
+PG_BUNDLE_DIR="$DEST/postgres-bundle"
+PG_VERSION_STAMP="$PG_BUNDLE_DIR/.rapport-version"
+
+if [[ -x "$PG_BUNDLE_DIR/bin/postgres" && "$(cat "$PG_VERSION_STAMP" 2>/dev/null)" == "theseus-$PG_VERSION-$PG_TARGET" ]]; then
+  echo "Postgres bundle already present (theseus $PG_VERSION $PG_TARGET): $PG_BUNDLE_DIR"
+else
+  echo "Downloading Postgres $PG_VERSION ($PG_TARGET) from theseus-rs ..."
+  TMP=$(mktemp -d)
+  trap 'rm -rf "$TMP"' EXIT
+  URL="https://github.com/theseus-rs/postgresql-binaries/releases/download/$PG_VERSION/postgresql-$PG_VERSION-$PG_TARGET.tar.gz"
+  curl --fail --location --silent --show-error -o "$TMP/pg.tar.gz" "$URL"
+
+  rm -rf "$PG_BUNDLE_DIR"
+  mkdir -p "$PG_BUNDLE_DIR"
+  tar -xzf "$TMP/pg.tar.gz" -C "$PG_BUNDLE_DIR" --strip-components=1
+  echo "theseus-$PG_VERSION-$PG_TARGET" > "$PG_VERSION_STAMP"
+  echo "Postgres extracted to $PG_BUNDLE_DIR"
+fi
+
+# ---------------------------------------------------------------------------
+# PostgREST (native binary via PostgREST GitHub releases)
+# ---------------------------------------------------------------------------
+PGRST_VERSION="v14.12"   # keep in sync with binaries/manifest.json
+PGRST_BIN="$DEST/postgrest"
+PGRST_STAMP="$DEST/.postgrest-version"
+
+if [[ -x "$PGRST_BIN" && "$(cat "$PGRST_STAMP" 2>/dev/null)" == "$PGRST_VERSION-$PGRST_ASSET" ]]; then
+  echo "PostgREST already present ($PGRST_VERSION-$PGRST_ASSET): $PGRST_BIN"
+else
+  echo "Downloading PostgREST $PGRST_VERSION ($PGRST_ASSET) ..."
+  TMP_R=$(mktemp -d)
+  URL="https://github.com/PostgREST/postgrest/releases/download/$PGRST_VERSION/postgrest-$PGRST_VERSION-$PGRST_ASSET.tar.xz"
+  curl --fail --location --silent --show-error -o "$TMP_R/pgrst.tar.xz" "$URL"
+  tar -xJf "$TMP_R/pgrst.tar.xz" -C "$TMP_R"
+  mv "$TMP_R/postgrest" "$PGRST_BIN"
+  chmod +x "$PGRST_BIN"
+  rm -f "$DEST/postgrest.is-placeholder"
+  echo "$PGRST_VERSION-$PGRST_ASSET" > "$PGRST_STAMP"
+  rm -rf "$TMP_R"
+  echo "PostgREST extracted to $PGRST_BIN"
+fi
+
+# Reste der ehemaligen Placeholder aufraeumen (gotrue/realtime/storage-api/kong/nginx
+# laufen jetzt als Docker-Container und brauchen kein lokales Binary mehr).
+for stale in gotrue realtime storage-api kong nginx; do
+  rm -f "$DEST/$stale" "$DEST/$stale.is-placeholder"
+done
+
+for svc in "${PLACEHOLDER_SERVICES[@]}"; do
+  target="$DEST/$svc"
+  if [[ -x "$target" && ! -f "$target.is-placeholder" ]]; then
+    continue
+  fi
+  cat > "$target" <<'PLACEHOLDER'
+#!/usr/bin/env bash
+echo "placeholder: $(basename "$0") would run here"
+sleep 999999
+PLACEHOLDER
+  chmod +x "$target"
+  touch "$target.is-placeholder"
+done
+
+echo "Done."
+echo "  Postgres: $PG_BUNDLE_DIR (real)"
+echo "  GoTrue:   $GOTRUE_BIN (real)"
+echo "  Andere:   $DEST/{postgrest,realtime,storage-api,kong,nginx} (placeholder)"

scripts/package.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+# Build + Code-Signing-Helper.
+# Ablauf:
+#   1. ./scripts/download-binaries.sh   (laedt Platzhalter / spaeter echte Binaries)
+#   2. npm install
+#   3. npm run build                    (Vite-Frontend-Build)
+#   4. cargo tauri build                (Tauri-Bundle)
+#   5. (macOS) codesign + notarize      (nur wenn APPLE_ID/TEAM_ID gesetzt)
+
+set -euo pipefail
+cd "$(dirname "$0")/.."
+
+echo "==> binaries"
+./scripts/download-binaries.sh
+
+echo "==> npm install"
+npm install
+
+echo "==> tauri build"
+npm run tauri:build
+
+if [[ "$(uname -s)" == "Darwin" && -n "${APPLE_ID:-}" && -n "${APPLE_TEAM_ID:-}" ]]; then
+  echo "==> notarize (TODO — bundle path + xcrun notarytool aufruf)"
+  # xcrun notarytool submit ... --apple-id "$APPLE_ID" --team-id "$APPLE_TEAM_ID" --wait
+else
+  echo "Skipping macOS notarization (APPLE_ID/APPLE_TEAM_ID not set)."
+fi
+
+echo "Done. Bundle: src-tauri/target/release/bundle/"

scripts/pull-images.sh

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+# Pulled die Docker-Images aller Rapport-Services vorab.
+# Image-Tags sind 1:1 aus SERVER-CONTAINER/docker-compose.yml uebernommen
+# (und in src-tauri/src/services.rs hardgepinnt). Sollten die hier geaendert
+# werden, muss services.rs mitziehen.
+#
+# Optional: vor `tauri:dev` einmal laufen lassen, damit der erste Start-Klick
+# nicht warten muss bis der Pull durch ist.
+
+set -euo pipefail
+
+IMAGES=(
+  "supabase/postgres:15.8.1.020"
+  "supabase/gotrue:v2.158.1"
+  "postgrest/postgrest:v12.2.0"
+  "supabase/realtime:v2.30.34"
+  "supabase/storage-api:v1.11.13"
+  "kong:2.8.1"
+  "nginx:1.27-alpine"
+)
+
+if ! command -v docker >/dev/null 2>&1; then
+  echo "docker CLI nicht gefunden. Installiere Docker / OrbStack / Colima zuerst." >&2
+  exit 1
+fi
+
+if ! docker info >/dev/null 2>&1; then
+  echo "Docker-Daemon laeuft nicht. Starte OrbStack/Colima/Docker Desktop." >&2
+  exit 1
+fi
+
+for img in "${IMAGES[@]}"; do
+  echo "==> pulling $img"
+  docker pull "$img"
+done
+
+echo "Done."

scripts/release.sh

@@ -0,0 +1,116 @@
+#!/usr/bin/env bash
+# Release-Pipeline: Version bumpen, signiertes Bundle bauen, latest.json generieren.
+#
+# Usage:   ./scripts/release.sh <version>
+# Example: ./scripts/release.sh 0.2.0
+#
+# Vorausgesetzt:
+#   - Signing-Key in ~/.rapport-signing/server-app.key (chmod 600)
+#   - tauri.conf.json hat den passenden Pubkey unter plugins.updater.pubkey
+#   - Docker-Daemon laeuft (fuer eventuelle Builds), Node + Rust installiert
+#
+# Output:
+#   - Signiertes Bundle in src-tauri/target/release/bundle/
+#   - latest.json im Repo-Root
+#   - Commit-Hinweise in der Konsole
+
+set -euo pipefail
+cd "$(dirname "$0")/.."
+
+if [[ $# -ne 1 ]]; then
+  echo "Usage: $0 <version>"
+  echo "Example: $0 0.2.0"
+  exit 1
+fi
+
+VERSION="$1"
+KEY_PATH="${TAURI_SIGNING_PRIVATE_KEY_PATH:-$HOME/.rapport-signing/server-app.key}"
+
+if [[ ! -f "$KEY_PATH" ]]; then
+  echo "Signing-Key nicht gefunden: $KEY_PATH" >&2
+  echo "Generate via: tauri signer generate -w $KEY_PATH" >&2
+  exit 1
+fi
+
+# --- 1. Version in allen Manifesten bumpen ---------------------------------
+echo "==> Bumpe Version auf $VERSION"
+
+# package.json: leeres "version"-Feld auch behandeln
+python3 - <<PY
+import json, pathlib
+p = pathlib.Path("package.json")
+data = json.loads(p.read_text())
+data["version"] = "$VERSION"
+p.write_text(json.dumps(data, indent=2) + "\n")
+PY
+
+python3 - <<PY
+import json, pathlib
+p = pathlib.Path("src-tauri/tauri.conf.json")
+data = json.loads(p.read_text())
+data["version"] = "$VERSION"
+p.write_text(json.dumps(data, indent=2) + "\n")
+PY
+
+# Cargo.toml: nur die TOP-Level [package] version (nicht Deps)
+sed -i.bak -E '0,/^version = ".*"/{s/^version = ".*"/version = "'"$VERSION"'"/}' src-tauri/Cargo.toml
+rm -f src-tauri/Cargo.toml.bak
+
+# --- 2. Build (signiert automatisch durch die env-Var) ---------------------
+echo "==> Build + Sign"
+# tauri-bundler liest fuer den Updater-Tarball ausschliesslich TAURI_SIGNING_PRIVATE_KEY
+# (Content), nicht _PATH. Wir injecten den File-Inhalt direkt.
+export TAURI_SIGNING_PRIVATE_KEY="$(cat "$KEY_PATH")"
+export TAURI_SIGNING_PRIVATE_KEY_PASSWORD=""
+
+npm install --silent
+npm run tauri:build
+
+# --- 3. Artefakte finden ---------------------------------------------------
+BUNDLE_DIR="src-tauri/target/release/bundle"
+DMG=$(find "$BUNDLE_DIR/dmg" -name "*.dmg" 2>/dev/null | head -n 1 || true)
+TARBALL=$(find "$BUNDLE_DIR/macos" -name "*.tar.gz" 2>/dev/null | head -n 1 || true)
+SIG=$(find "$BUNDLE_DIR/macos" -name "*.tar.gz.sig" 2>/dev/null | head -n 1 || true)
+
+if [[ -z "$TARBALL" || -z "$SIG" ]]; then
+  echo "Updater-Tarball oder Signatur nicht gefunden!" >&2
+  echo "Erwartet unter: $BUNDLE_DIR/macos/*.tar.gz(.sig)" >&2
+  echo "Bundle-Output:" >&2
+  ls -la "$BUNDLE_DIR" 2>&1 >&2 || true
+  exit 1
+fi
+
+SIGNATURE=$(cat "$SIG")
+PUB_DATE=$(date -u +%Y-%m-%dT%H:%M:%SZ)
+DOWNLOAD_URL="https://git.kgva.ch/karim/RAPPORT-SERVER-APP/releases/download/v${VERSION}/$(basename "$TARBALL")"
+
+# --- 4. latest.json generieren --------------------------------------------
+cat > latest.json <<JSON
+{
+  "version": "$VERSION",
+  "notes": "Release $VERSION",
+  "pub_date": "$PUB_DATE",
+  "platforms": {
+    "darwin-aarch64": {
+      "signature": "$SIGNATURE",
+      "url": "$DOWNLOAD_URL"
+    }
+  }
+}
+JSON
+
+echo ""
+echo "================================================================"
+echo "Release $VERSION fertig."
+echo ""
+echo "Artefakte:"
+[[ -n "$DMG" ]] && echo "  DMG:     $DMG"
+echo "  Tarball: $TARBALL"
+echo "  Sig:     $SIG"
+echo "  latest.json (im Repo-Root) — committen und nach git.kgva.ch pushen"
+echo ""
+echo "Naechste Schritte:"
+echo "  1. gh release create v$VERSION $TARBALL $SIG ${DMG:+$DMG} -t \"v$VERSION\" -n \"Release $VERSION\""
+echo "  2. git add latest.json package.json src-tauri/{Cargo.toml,tauri.conf.json}"
+echo "  3. git commit -m \"Release v$VERSION\" && git push"
+echo "================================================================"